Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
f2e2692d0c
|
|||
|
fd14ac7117
|
|||
|
306f6e12cd
|
|||
|
c7249ba743
|
|||
|
b26e8d212d
|
|||
|
6155787b59
|
|||
| b6904e4ed2 | |||
| 118baa38f8 | |||
| cab241a96e |
@@ -4,33 +4,28 @@ steps:
|
|||||||
settings:
|
settings:
|
||||||
repo: ${FORGE_NAME}/${CI_REPO}
|
repo: ${FORGE_NAME}/${CI_REPO}
|
||||||
registry:
|
registry:
|
||||||
from_secret: container_registry
|
from_secret: local_registry
|
||||||
tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
|
|
||||||
username:
|
username:
|
||||||
from_secret: container_registry_username
|
from_secret: local_username
|
||||||
password:
|
password:
|
||||||
from_secret: container_registry_password
|
from_secret: local_password
|
||||||
|
tags: ${CI_COMMIT_SHA}
|
||||||
dockerfile: Dockerfile
|
dockerfile: Dockerfile
|
||||||
when:
|
when:
|
||||||
- event: [push, tag]
|
- event: [push, tag]
|
||||||
scan_image:
|
|
||||||
image: aquasec/trivy
|
|
||||||
commands:
|
|
||||||
- trivy image $FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA --quiet --exit-code 1
|
|
||||||
when:
|
|
||||||
- event: [push, tag]
|
|
||||||
build:
|
build:
|
||||||
image: plugins/kaniko
|
image: plugins/kaniko
|
||||||
settings:
|
settings:
|
||||||
repo: quay.io/wollud1969/k8s-admin-helper
|
repo: quay.io/wollud1969/k8s-admin-helper
|
||||||
registry: quay.io
|
registry:
|
||||||
tags:
|
from_secret: quay_registry
|
||||||
- latest
|
|
||||||
- ${CI_COMMIT_TAG}
|
|
||||||
username:
|
username:
|
||||||
from_secret: quay_username
|
from_secret: quay_username
|
||||||
password:
|
password:
|
||||||
from_secret: quay_password
|
from_secret: quay_password
|
||||||
|
tags:
|
||||||
|
- latest
|
||||||
|
- ${CI_COMMIT_TAG}
|
||||||
dockerfile: Dockerfile
|
dockerfile: Dockerfile
|
||||||
when:
|
when:
|
||||||
- event: [tag]
|
- event: [tag]
|
||||||
|
|||||||
@@ -1,12 +1,16 @@
|
|||||||
FROM alpine:latest
|
FROM alpine:3.22.2
|
||||||
|
|
||||||
ARG USER="user"
|
ARG USER="user"
|
||||||
|
|
||||||
RUN apk add --no-cache kubectl gpg bash && \
|
RUN apk add --no-cache kubectl gpg gpg-agent bash curl helm podman && \
|
||||||
addgroup $USER && \
|
addgroup $USER && \
|
||||||
adduser -G $USER -D $USER
|
adduser -G $USER -D $USER
|
||||||
|
|
||||||
|
COPY decrypt-secrets.sh /usr/local/bin/
|
||||||
|
|
||||||
USER $USER
|
USER $USER
|
||||||
WORKDIR /home/$USER
|
WORKDIR /home/$USER
|
||||||
|
|
||||||
|
RUN gpg -k
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
21
decrypt-secrets.sh
Executable file
21
decrypt-secrets.sh
Executable file
@@ -0,0 +1,21 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set the environment variable GPG_PASSPHRASE
|
||||||
|
# Pipe the encrypted data and
|
||||||
|
# - redirect the output into the destination file or
|
||||||
|
# - directly eval the output, in this case make sure ONLY variable definitions are in the file
|
||||||
|
#
|
||||||
|
# The second option would be
|
||||||
|
# eval "`cat secrets.asc | ./decrypt-secrets.sh`"
|
||||||
|
#
|
||||||
|
# To create the encrypted file use
|
||||||
|
# gpg --symmetric --cipher-algo AES256 --armor --output secrets.asc secrets.txt
|
||||||
|
# where secrets.txt is the cleartext file and secrets.asc will be the encrypted file.
|
||||||
|
# Make sure to use a good passphrase, make sure to store the passphrase safely.
|
||||||
|
#
|
||||||
|
# Adding the encrypted file secrets.asc to a source code repository is secure.
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --homedir /tmp/.gnupg --output -
|
||||||
Reference in New Issue
Block a user